\chapter{Introduction}

This project concerns about providing a solution for the un-trustable nature of the currently available computer intrusion detection systems. The solution for a trustable detection system is sought through virtualization which provides a new architecture for computer systems to include security.

The ideal secure system requires that the system is running on top of a secure base. The base of any system is the operating system. Unfortunately operating systems are programs with huge code bases which contain many bugs. These buggy programs can be exploited to break the security of the systems. 

When an application is compromised by an attacker, he can eventually compromise the kernel and when the kernel is compromised he can get control of the whole system. To avoid access of a computer system by an unauthorized person, proper detection of the attack has to be done. The Systems which detect these intrusive activities are called Intrusion Detection Systems (IDS). Once detection has been done, the necessary decision and action needed to take to restore proper trusted state of the system can be done thereafter. Therefore the most important requirement in making a system trustable is to have a reliable detection system which can detect any attack flawlessly.


We will look at the currently available detection systems to identify where the problem lies. The existing IDS reside on the same kernel as the monitored host. Once an attack has occurred, the IDS or the monitored host OS can be modified or attacked by the attacker to hide its intrusive activities, making the IDS unreliable. Due to this reason proper functionality of the IDS cannot be trusted. In a situation as this, the administrators will have no warning that an attack has occurred and the system will continue to function under attack while the administrators keep on thrusting that everything is working fine. The problem in currently available detection systems is because both the IDS and the system that it needs to scan are running on the same kernel, therefore the IDS is open for easy attacks.

The ideal intrusion detection system is a system which can scan the vulnerable host thoroughly while being protected against an attack happening on the host. This requires good visibility into the vulnerable host by the detection system and proper isolation from the vulnerable host to the detection system. The above two requirements are conflicting requirements in the context of a normal computer architecture. Good visibility can be provided if the two are not isolated when isolated proper visibility is reduced. The architecture which allows both good visibility and proper isolation between vulnerable host and the IDS is the use of virtualization. 

Compared to traditional detection systems which run on the same OS, detection systems running on top of virtualization are contrastingly different. The monitored vulnerable OS and the IDS will run on two different virtual machines. The fact that both these VMs run on top of the same hypervisor can provide the visibility into the vulnerable host's state. Virtualization provides a great deal of isolation between VMs running on top of the hypervisor. These properties provided by virtualization can be used to implement a reliable IDS. 

The base of the whole system when using virtualization is the hypervisor. Hypervisor is a small software layer running on top of the physical hardware, consisting of a very small code base. The small size and the limited functionality provided by the hypervisor makes it very hard to compromise. 

There are several ways in which intrusion detection is carried out, such as network packet detection, file system integrity detection and memory integrity detection. File system integrity checking is considered to be possible without too much difficulty as the semantics of the file system are available there itself and can be accessed with semantics from other hosts as well. Recreation of memory semantic is harder on the other hand because meta data about semantics are not easy to access. Therefore memory integrity detecting which needs memory semantics regeneration is much more challenging. The aim of this project is to create a memory integrity detector since it is a challenging research area. Therefore we will mostly discuss only about memory detection and memory semantics regeneration, which are needed for memory integrity checking in this report. 

Memory introspection is the main aim of this project. Memory introspection is the process of viewing the memory of one virtual machine from a different virtual machine. Even though from the surface this seems rather simple but it is a very tedious task. When the detection system runs on the detected host itself, the detector can have access to the state of the system together with the semantics of its operating system. But when the detector is run on a different VM, even though the VM can be provided with the visibility, what the monitor is provided is raw data in bits which does not contain any semantics. For detection to be done properly the semantics have to be regenerated from the raw memory. 

The memory of the VM that is being monitored will be mapped on to the memory of the monitoring VM's memory space. This semantic less raw memory will have to be provided with the semantics to do any useful monitoring. Once the semantics of the mapped memory have been provided the ability to scan the memory of the other VM can be provided.

\section{Motivation}
Virtualization has become a hot topic in the recent past as it has enabled many limitations of conventional physical computers to be overcome. One operating system instance running on a physical computer at a time is no longer true. Many instances of different kinds of operating systems can be run on one physical computer, almost as if they were running on physically different machines. 

The ability to create many different operating system instances on one physical machine has provided many advantages. Some of the advantages of virtualization are straight forward while some advantages are not easily visible.

One of the advantages provided by virtualization is the ability to run operating systems with strong isolation, which can be used to enforce security to applications. This advantage has been used to build intrusion detection systems, rootkit detectors, file system integrity detectors and so on. These detectors are developed specifically to run on virtualized hosts and to scan a different VM, therefore at the time of implementing the detectors the developers have to code to scan a different VM. It would be very useful if existing virus scanners, intrusion detectors, rootkit detectors could run without modifications and scan the integrity of another VM running on the same hypervisor. 

In order to achieve the above, a virtual interface of the monitored VM will have to be recreated on the monitoring VM. This virtual interface should provide a complete interface to the monitored VM, just as if it is running on that OS. This would be the ultimate challenge to achieve in the intrusion detection systems using the benefits of virtualization. But this challenge is still far away to achieve, therefore as a starting step towards achieving the ultimate challenge this research is been done. Another fact to make this research start from implementing a basic integrity mon10itor is because the currently implemented systems have not released any source of their detectors even though research papers have been written where they have implemented such detectors.


		
\section{Objectives}

The Objective of the project is to develop an infrastructure for a very much better, very hard to exploit intrusion detection system by using the positive architectural attributes provided by virtualization.\\
Open source virtualization technologies and open source host based intrusion detection systems will be integrated to get the security gains attainable by virtualization. \\ \\
In this project I will be creating a inter-VM communication mechanism used to provide the state of the monitored host VM to the intrusion detection VM without causing any vulnerabilities to the hypervisor and maintaining isolation between the VMs. \\
The next step would be to provide an emulation of the monitored VM in the detection VM so that the existing HIDSs can detect the intrusive activities from a different VM. \\
Throughout the design and implementation the additional functionality would be added after studying the impact it can have on the security. Further in a way such that it would not degrade the security of the system by opening up vulnerabilities.  \\


\section{Issues to Address}
When memory is mapped to another VM, the mapped memory appears to be just raw memory without any semantic meaning. Yet what is required is to get the state of the other VM through the kernel data structures residing in that mapped memory. 
The problem in providing semantics is because the kernel object's structures have an ability to change even by a different compiling configuration of the same kernel.  Providing semantics to raw memory is still an area which has not yet been studied in a higher interest by the research community. Some regeneration of semantics has been done by the forensics community.

%\section{Developments in the Field}

%There are many research papers which describe how secure applications can be built on top of virtualization. Intrusion Detection is one of the Secure applications which virtualization technology enables. \\ \\
%Garfinkel in his paper \cite{garfinkel:vmi} gives the importance of virtualization in Intrusion Detection. He implements a Intrusion Detection System on top of a commercial Virtualization Technique and provides a general architecture which can be used to come up with a new Intrusion Detection System. \\
%Other than the above implementation, not many systems of this nature exist. But in the resent past there have been some research papers to implement Intrusion Detection Systems Using XEN. Nguyen Anh Quynh is a Japanese researcher who has come up with the research papers in the very recent past implementing Intrusion Detection activities on Xen \cite{XenFIT} , \cite{rootkit}. \\
%This area of Virtualization is a field that is gathering interest, in the near future more applications of this nature will be sought by many people.


%\section{also add these lines}

%To address this limitation, recent solutions based on virtual machine (VM) technologies advocate placing the malware detection facilities outside of the protected VM ("out of the box"). However, they gain tamper resistance at the cost of losing the native, semantic view of the host which is enjoyed by the "in the box" approach, thus leading to a technical challenge known as the semantic gap. \cite{vmIntroSemantics}

%systematically reconstruct internal semantic views (e.g., files, processes, and kernel modules) of a VM from the outside in a non-intrusive manner.


%The threats above are partly attributed to a fundamental limitation on the defensive side: Most host-based anti-malware systems are installed and executed inside the very hosts that they are monitoring and protecting (Figure 1(a)). Although such "in the box" deployment will provide an anti-malware system with a native, semantic-rich view of the host, it in the meantime makes the anti-malware system visible, tangible, and potentially subvertable to advanced malware residing in the host. To address this problem, there have recently been a number of solutions [32, 34, 37] that advocate placing the intrusion detection facilities outside of the (virtual) machine being monitored. Based on virtual machine technologies [17, 26, 31], such an "out of the box" approach significantly improves the tamper-resistance of intrusion detection facilities. A virtual machine (VM) achieves strong isolation and confines processes running inside the VM such that, even if they are compromised by malware, it will be hard, if not impossible, to compromise systems outside of the VM.

